next up previous
Next: Comparison to RC Model Up: Role Based Access Control Previous: Role Based Access Control

Model Description

The RBAC access control model as described in [FerKuh92] defines subjects, roles and transactions. A transaction is defined as a transformation procedure plus its necessary data accesses. All subject activities in a system are performed through transactions, but not the system tasks like identification or authentication.

The RBAC model defines three basic rules:

  1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.
  2. Role authorization: A subject's active role must be authorized for the subject.
  3. Transaction authorization: A subject can execute a transaction only, if the transaction is authorized for the subject's active role.

Additionally, transformation procedures, objects and access modes can be separated, and an access function can define, which role executing which transaction may access which objects with which access modes.

In [FeCuKu95], the term operation is introduced, which denotes an access with a certain mode to a set of objects. Roles are then authorized for operations and no longer for transactions or transaction procedures. Also, users are distinguished from subjects. A subject is an active entity, performing operations on behalf of one user at a time, and has a set of active roles, for which the user must be authorized.

Roles may be members of other roles, so that membership in a subrole implies the membership in all parent roles, including all their authorizations. The possible membership in several roles requires the definition of mutual exclusion to preserve separation of duty, i.e., pairs of roles which may not share the same member or, in the revised model, which may not be activated at the same time by the same subject.

Finally, the RBAC model defines static and dynamic capacities of roles, the first being the maximum number of members, the latter the maximum number of subjects having the role activated.

In [Ferraiolo+2001], a NIST standard for RBAC models has been proposed. It adds the notion of user sessions, which allow to selectively activate or deactivate roles within a session. All RBAC features are grouped into Core RBAC, which contains the basic functionality, Hierarchical RBAC to define role hierarchies and Constrained RBAC with Static and Dynamic Separation of Duty Relations. All RBAC separation of duty relates to what roles from the assigned set of roles can be used by a single user at the same time. Of this, mutual exclusion is only a subset.


next up previous
Next: Comparison to RC Model Up: Role Based Access Control Previous: Role Based Access Control
Amon Ott